Mercurial > hg > nginx
view src/event/quic/ngx_event_quic_openssl_compat.h @ 9156:36b59521a41c
QUIC: refined sending CONNECTION_CLOSE in various packet types.
As per RFC 9000, section 10.2.3, to ensure that peer successfully removed
packet protection, CONNECTION_CLOSE can be sent in multiple packets using
different packet protection levels.
Now it is sent in all protection levels available.
This roughly corresponds to the following paragraph:
* Prior to confirming the handshake, a peer might be unable to process 1-RTT
packets, so an endpoint SHOULD send a CONNECTION_CLOSE frame in both Handshake
and 1-RTT packets. A server SHOULD also send a CONNECTION_CLOSE frame in an
Initial packet.
In practice, this change allows to avoid sending an Initial packet when we know
the client has handshake keys, by checking if we have discarded initial keys.
Also, this fixes sending CONNECTION_CLOSE when using QuicTLS with old QUIC API,
where TLS stack releases application read keys before handshake confirmation;
it is fixed by sending CONNECTION_CLOSE additionally in a Handshake packet.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Fri, 01 Sep 2023 20:31:46 +0400 |
parents | bddd3f76e3e5 |
children | daf8f5ba23d8 |
line wrap: on
line source
/* * Copyright (C) Nginx, Inc. */ #ifndef _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_ #define _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_ #if defined SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION \ || defined LIBRESSL_VERSION_NUMBER #undef NGX_QUIC_OPENSSL_COMPAT #else #include <ngx_config.h> #include <ngx_core.h> typedef struct ngx_quic_compat_s ngx_quic_compat_t; enum ssl_encryption_level_t { ssl_encryption_initial = 0, ssl_encryption_early_data, ssl_encryption_handshake, ssl_encryption_application }; typedef struct ssl_quic_method_st { int (*set_read_secret)(SSL *ssl, enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, const uint8_t *rsecret, size_t secret_len); int (*set_write_secret)(SSL *ssl, enum ssl_encryption_level_t level, const SSL_CIPHER *cipher, const uint8_t *wsecret, size_t secret_len); int (*add_handshake_data)(SSL *ssl, enum ssl_encryption_level_t level, const uint8_t *data, size_t len); int (*flush_flight)(SSL *ssl); int (*send_alert)(SSL *ssl, enum ssl_encryption_level_t level, uint8_t alert); } SSL_QUIC_METHOD; ngx_int_t ngx_quic_compat_init(ngx_conf_t *cf, SSL_CTX *ctx); int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method); int SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level, const uint8_t *data, size_t len); enum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl); enum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl); int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params, size_t params_len); void SSL_get_peer_quic_transport_params(const SSL *ssl, const uint8_t **out_params, size_t *out_params_len); #endif /* TLSEXT_TYPE_quic_transport_parameters */ #endif /* _NGX_EVENT_QUIC_OPENSSL_COMPAT_H_INCLUDED_ */